• United States



by Anuradha Shukla

91% of targeted attacks start with spear-phishing email

May 28, 20132 mins
CybercrimeData and Information SecurityMalware

Ninety-one percent of targeted attacks start with spear- phishing email, according to a newly released research by Trend Micro.

Spear-phishing emails contain a malicious attachment exploiting a Microsoft Office vulnerability (CVE-2012-0158).

These emails are part of the operations of an emerging and active targeted threat called Safe campaign, the operations of which are documented in the research paper by Trend Micro.

These spear-phishing emails contain a malicious attachment and encourage a recipient to open a harmful attachment by attracting him with contextually relevant content.

From a threat perspective, Trend Micro has identified five key target organisations including government ministries, technology companies, media outlets, academic research institutions and non-governmental agencies.

Threats are not new and IT departments have already seen various kinds of advanced persistent threats (APTs) or malware-based espionage attacks that have been around for years.

Recent years have seen “noisier” campaigns within the security community, and now are learning to combat the emerging new and smaller campaigns.

Trend Micro has not determined the total number of victims in the campaign but apparently, about 12,000 unique IP addresses spread over more than 100 countries were connected to two sets of command-and-control (C&C) infrastructures related to this threat and the average number of actual victims was counted at 71 per day.

Defence strategy

As this threat identified by Trend Micro has the potential to affect people all across the world, enterprises should focus on detecting and mitigating attacks and leverage core components of a defence strategy as presented by the report.

Businesses can use logs from endpoint, server, and network monitoring to gain a view of the activities within an organisation. This information can be processed for anomalous behaviours and eventually indicate a targeted attack.

Integrity checks should be performed as malware will make modifications to the file system and registry in order to maintain persistence.

Enterprises should also empower human analysts and also leverage technologies available today to gain visibility, insight, and control over networks to defend against targeted threats.

Once an attack is identified, the cleanup strategy should focus on determining the attack vector and cut off communications with the command-and-control (C&C) server.

IT department should then also determine the scope of the compromise and assess the damage by analysing the data and forensic artifacts available on compromised machines.